Server Side Encryption: S3 <-> KMS to encrypt data
SSE-S3: AWS S3 manages its own keys (rotated every month)
Request header - x-amz-server-side-encryption: AES256
SSE-KMS: Customer manages keys in KMS
Request headers - x-amz-server-side-encryption: aws:kms and x-amz-server-side-encryption-aws-kms-key-id: ARN of the key in KMS
SSE-C: Customer sends key with request (HTTPS mandatory)
S3 performs encryption and decryption without storing the key
Use HTTPS endpoints (secure data in transit)
All AWS services (including S3) provide HTTPS endpoints
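Added example (not part of the original notes, not AWS SDK code): a small helper that builds the PutObject request headers for the three server-side modes above and enforces the stated constraints (an ARN is required for SSE-KMS, HTTPS is required for SSE-C). The SSE-C header names (x-amz-server-side-encryption-customer-algorithm / -customer-key / -customer-key-MD5) and the 256-bit key length are assumed from the S3 API and are not given in the notes; the endpoint URL and key ARN in the usage call are placeholders.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Header names for the three server-side encryption modes. The SSE-C names are
# an assumption from the S3 API; the notes only name the SSE-S3 and SSE-KMS ones.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_headers(mode, endpoint, kms_key_arn=None, customer_key=None):
    """Return the extra headers for a PutObject request in the given SSE mode.

    mode:         "SSE-S3", "SSE-KMS" or "SSE-C"
    endpoint:     URL of the S3 endpoint the request goes to
    kms_key_arn:  ARN of the customer-managed KMS key (SSE-KMS only)
    customer_key: 32 raw key bytes supplied by the customer (SSE-C only)
    """
    if mode == "SSE-S3":
        # S3 picks and rotates the key; the client only asks for AES256.
        return {SSE_HEADER: "AES256"}

    if mode == "SSE-KMS":
        if not kms_key_arn:
            raise ValueError("SSE-KMS needs the ARN of the key in KMS")
        return {SSE_HEADER: "aws:kms", SSE_KMS_KEY_HEADER: kms_key_arn}

    if mode == "SSE-C":
        # The key itself travels in the request, so plain HTTP is refused here.
        if urlparse(endpoint).scheme != "https":
            raise ValueError("SSE-C requires an HTTPS endpoint")
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        key_b64 = base64.b64encode(customer_key).decode()
        # S3 uses the MD5 of the raw key only as an integrity check on the header.
        key_md5_b64 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {
            SSE_C_ALGO_HEADER: "AES256",
            SSE_C_KEY_HEADER: key_b64,
            SSE_C_KEY_MD5_HEADER: key_md5_b64,
        }

    raise ValueError(f"unknown SSE mode {mode!r}")


if __name__ == "__main__":
    # Placeholder endpoint and ARN; constructed key of 32 zero bytes for the demo.
    endpoint = "https://s3.example-region.amazonaws.com"
    print(sse_headers("SSE-S3", endpoint))
    print(sse_headers("SSE-KMS", endpoint,
                      kms_key_arn="arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID-PLACEHOLDER"))
    print(sse_headers("SSE-C", endpoint, customer_key=b"\x00" * 32))
    try:
        sse_headers("SSE-C", "http://s3.example-region.amazonaws.com", customer_key=b"\x00" * 32)
    except ValueError as err:
        print("rejected:", err)
```

The same check belongs on the response path as well: a client that wants to confirm the object was stored encrypted can compare the x-amz-server-side-encryption value S3 echoes back against the one it sent.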
Client Side Encryption: Client manages encryption
Client sends encrypted data to AWS service
AWS never sees the master key or the data key
AWS service stores data as is
Use a client library (Amazon S3 Encryption Client)